CVE-2026-33235 - Vulnerability Details

Description

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. In versions prior to 0.6.52, the Fill Text Template block is vulnerable to a Denial of Service (DoS) attack. While the backend implements a SandboxedEnvironment to prevent unauthorized attribute access (e.g., blocking __class__), it fails to limit the computational complexity or execution time of the expressions. An attacker can input computationally expensive Python/Jinja2 expressions that consume the server's CPU and memory, leading to a complete system hang or crash. In multi-tenant or self-hosted environments, this results in a complete service outage and "noisy neighbor" effects that require manual administrative intervention to recover. This issue has been fixed in version 0.6.52.

Published: 2026-06-24

Score: 7.7 High

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

AutoGPT prior to 0.6.52 allows users to supply computationally expensive Python/Jinja2 expressions to the Fill Text Template block. The backend sandboxing blocks unauthorized attribute access, but does not limit execution time or algorithmic complexity. An attacker can submit such expressions, causing excessive CPU and memory usage that can freeze or crash the server, resulting in a complete service outage and noisy‑neighbor effects.

Affected Systems

The vulnerability affects all installations of Significant‑Gravitas AutoGPT with versions earlier than 0.6.52, regardless of deployment model, including self‑hosted or multi‑tenant environments.

Risk and Exploitability

The CVSS score of 7.7 indicates a high impact with medium to high exploitation difficulty. EPSS data is not available, and the vulnerability is not listed in CISA KEV, so the likelihood of exploitation is currently unknown but the potential impact is significant. The attack vector is inferred to be local or remote input to the Fill Text Template block, where an attacker can submit malicious expressions that will consume server resources until the process fails or is terminated.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Significant-Gravitas

AutoGPT

affected

Version	Status	Constraints
`>= 0.1.0, < 0.6.52`	affected	—

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade AutoGPT to version 0.6.52 or later to apply the vendor patch that limits expression complexity and execution time, addressing the resource exhaustion weakness (CWE‑400).
Configure operating‑system or container resource limits to cap CPU and memory usage for the AutoGPT process, reducing the impact of any unexpected resource consumption.
Disable or restrict usage of the Fill Text Template block in production environments until the patch is applied, or monitor template submissions for unusually large or complex expressions.

Generated by OpenCVE AI on June 25, 2026 at 00:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/Significant-Gravitas/AutoGPT/releases/tag/autogpt-platform-beta-v0.6.52
https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-ppw9-h7rv-gwq9

History

Wed, 24 Jun 2026 21:15:00 +0000

Type	Values Removed	Values Added
Description		AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. In versions prior to 0.6.52, the Fill Text Template block is vulnerable to a Denial of Service (DoS) attack. While the backend implements a SandboxedEnvironment to prevent unauthorized attribute access (e.g., blocking __class__), it fails to limit the computational complexity or execution time of the expressions. An attacker can input computationally expensive Python/Jinja2 expressions that consume the server's CPU and memory, leading to a complete system hang or crash. In multi-tenant or self-hosted environments, this results in a complete service outage and "noisy neighbor" effects that require manual administrative intervention to recover. This issue has been fixed in version 0.6.52.
Title		AutoGPT: Denial of Service (DoS) via Resource Exhaustion in text templating features
Weaknesses		CWE-400
References		https://github.com/Significant-Gravitas/AutoGPT/releases/tag/autogpt-platform-beta-v0.6.52 https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-ppw9-h7rv-gwq9
Metrics		cvssV3_1 `{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-06-24T20:52:00.388Z

Updated: 2026-06-24T20:52:00.388Z

Reserved: 2026-03-18T02:42:27.508Z

Link: CVE-2026-33235

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T00:30:03Z

Weaknesses

CWE-400
Uncontrolled Resource Consumption

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object